Fraudster capabilities and very suspicious account activity

Nasqueron

TechGuy2012 said:

Nasqueron said:

All I can put this down to is either the business owner has been unwittingly compromised  somehow (still doesn't explain the second set of withdrawals), internal fraud at the bank or a serious security flaw at the bank.

It's definitely the first, he is either not being honest with you or someone has access to his phone or accounts or machine. You don't mention the bank but most of them require approval/authentication in the app for a new payee e.g. biometrics, face ID etc

So I couldn't wait and messaged him. He has a security token (one of those little calculators), which he has to use every time he logs in and to generate new payee's. It generates a code to enter.
So has that been compromised?

Again you're assuming this is some security or technical failure on the bank side - it's certainly not impossible but the idea that a hacker would break into a bank's security, copy a card details, make their own card, physically go around shops spending on it (massive risk of ID from CCTV, tracking etc) then put it in their own cloned card reader, hack into your friend's bank account and setup new payees inside the account and move the money out is astonishingly small.

Almost certainly your friend is either part of this (perhaps as victim of a scam like where he thinks his money has been stolen and he needs to move it to another bank), or someone close to him is doing it, or his card has been compromised and he's not telling you all the details as the number of steps needed to be successfully completed to get to this point (including using a card reader to setup new payees) requires a level of skill that said person would not have the aim of stealing a few thousand from one private bank account. Can he setup new payees in the app without the reader, I know I can on my Co-Op account

DullGreyGuy

km1500 said:

to answer one of your specific questions yes it is possible to make a card contactless by just knowing the card details I do it all the time you basically add it to Google pay or Apple pay or whatever

however it's not that simple there is an authorization step to get through to enable it to be added

You are not correct @km1500, you cannot make a contactless card using just the basic card details. 

You can add a card to ApplePay etc using just the basic details but banks then use a 2nd form of verification to set the card up in the system. Once the security has been passed the bank then transfer the necessary information across... certainly with ApplePay the phone holds a different card number to the physical card along with the other security aspects you are unaware of; dont know with GooglePay if it also gets a different number

TechGuy2012

sheramber said:

Do you not have to enter the vard into the security device to get the code?

I have to put my card in mine. 

No, the card is not used on Co-op device.

TechGuy2012

I've seen on the Co-op website that business accounts do not allow Google/Apple pay!
So, unless that is a recent policy change, means either the real card was used are a second card has been linked to the account. Or of course there's some dishonesty somewhere!
The more I find out, the more I have the desire to find out whats really happened here. I doubt it was the business owner as he's only approached me as a sounding board. But at this stage I'm not ruling anything out. I will learn more tonight.

km1500

DullGreyGuy said:

km1500 said:

to answer one of your specific questions yes it is possible to make a card contactless by just knowing the card details I do it all the time you basically add it to Google pay or Apple pay or whatever

however it's not that simple there is an authorization step to get through to enable it to be added

You are not correct @km1500, you cannot make a contactless card using just the basic card details. 

You can add a card to ApplePay etc using just the basic details but banks then use a 2nd form of verification to set the card up in the system. Once the security has been passed the bank then transfer the necessary information across... certainly with ApplePay the phone holds a different card number to the physical card along with the other security aspects you are unaware of; dont know with GooglePay if it also gets a different number

yes as I said you need authorisation steps

TechGuy2012

So a quick update on this:
The previous card fraud (what we thought was contactless card clone) cannot be confirmed with the statement as contactless payments as it simply shows it was a card transaction, this probably means that is what it was a cloned card, just a but odd all transactions were kept below £100. Wouldn't this require the pin number though? Still a bit odd, however the least of his worries as that has been refunded!

Now the interesting bit regarding the internet banking transfers (we think).
It turns out the the business owner received a phone call 4 days in advance of the fraud occurring, warning him there was fraudulent activity on the account, he doesn't recall giving any security details out and did phone the bank back to make sure it was them. They told him it wasn't them and said a temporary stop would be put on the account whilst it was investigated. HOWEVER, I've heard of a scam where the scammer holds the line, then pretends to be the bank when the customer phones back, this could have been an entry point?

Could the scammer have then used telephone banking and requested a new code generator to a new address?
Seems crazy the bank would do this!

Additionally the code generator is kept under CCTV, whilst I was there, we checked the footage which confirmed nobody accessed the code generator when the new payee's were added (circa 2am when several text messages were received) right until the morning when he logged on to find the missing money.
That morning he phoned the bank up via 159 to report the fraud and was told the account had been put on stop, the only other person with access to the account also witnessed this on speakerphone, the following night the account was emptied. How can this happen?

It also turns out he does not have the phone app for internet banking installed so also couldn't have been his phone that was compromised.

So I can only put this down to the scammer getting telephone banking security details and doing it all over the phone or the scammer has managed to get a code generator. Both of which seem crazy that the bank would allow this!

The bank are keeping quiet despite several request to chase this up with them.

As a point of interest the owner printed off the statement showing the fraudulent transaction before the account really was put on stop, it has 3 names of what looks like personal accounts, interestingly, one name looks Spanish, one eastern European and one Asian. Coordinated international criminal gang springs to mind!

In summary, I may have found how its been achieved/started, but find it hard to believe it was allowed to happen and continue even following the account been stopped by the bank.

For me this is screaming out an inside job or a serious security flaw at the bank. I know that's a bold statement but why on earth don't the bank give any explanation as to how this has happened, its' in their best interests to educate their customers!

Any thoughts welcome.

eskbanker

TechGuy2012 said:

why on earth don't the bank give any explanation as to how this has happened, its' in their best interests to educate their customers!

It really isn't in any bank's interests to divulge details of their internal security processes!

PloughmansLunch

TechGuy2012 said:

...
That morning he phoned the bank up via 159 to report the fraud and was told the account had been put on stop, the only other person with access to the account also witnessed this on speakerphone, the following night the account was emptied. How can this happen?

Who is this other person? Is it a joint signatory account / multiple debit cards?

TechGuy2012 said:

...
That morning he phoned the bank up via 159 to report the fraud and was told the account had been put on stop, the only other person with access to the account also witnessed this on speakerphone, the following night the account was emptied. How can this happen?

It also turns out he does not have the phone app for internet banking installed so also couldn't have been his phone that was compromised.

Your first post said 'Due to the previous experience he set up the online banking app', does this mean the other person who has access does have the app (and therefore presumably wouldn't need the code generator)? I'm not trying to point fingers, but there's another potential point of failure if it's not just the owner with sole access.

born_again

TechGuy2012 said:

So a quick update on this:
The previous card fraud (what we thought was contactless card clone) cannot be confirmed with the statement as contactless payments as it simply shows it was a card transaction, this probably means that is what it was a cloned card, just a but odd all transactions were kept below £100. Wouldn't this require the pin number though? Still a bit odd, however the least of his worries as that has been refunded!

Now the interesting bit regarding the internet banking transfers (we think).
It turns out the the business owner received a phone call 4 days in advance of the fraud occurring, warning him there was fraudulent activity on the account, he doesn't recall giving any security details out and did phone the bank back to make sure it was them. They told him it wasn't them and said a temporary stop would be put on the account whilst it was investigated. HOWEVER, I've heard of a scam where the scammer holds the line, then pretends to be the bank when the customer phones back, this could have been an entry point?

Could the scammer have then used telephone banking and requested a new code generator to a new address?
Seems crazy the bank would do this!

Additionally the code generator is kept under CCTV, whilst I was there, we checked the footage which confirmed nobody accessed the code generator when the new payee's were added (circa 2am when several text messages were received) right until the morning when he logged on to find the missing money.
That morning he phoned the bank up via 159 to report the fraud and was told the account had been put on stop, the only other person with access to the account also witnessed this on speakerphone, the following night the account was emptied. How can this happen?

It also turns out he does not have the phone app for internet banking installed so also couldn't have been his phone that was compromised.

So I can only put this down to the scammer getting telephone banking security details and doing it all over the phone or the scammer has managed to get a code generator. Both of which seem crazy that the bank would allow this!

The bank are keeping quiet despite several request to chase this up with them.

As a point of interest the owner printed off the statement showing the fraudulent transaction before the account really was put on stop, it has 3 names of what looks like personal accounts, interestingly, one name looks Spanish, one eastern European and one Asian. Coordinated international criminal gang springs to mind!

In summary, I may have found how its been achieved/started, but find it hard to believe it was allowed to happen and continue even following the account been stopped by the bank.

For me this is screaming out an inside job or a serious security flaw at the bank. I know that's a bold statement but why on earth don't the bank give any explanation as to how this has happened, its' in their best interests to educate their customers!

Any thoughts welcome.

So the phone call 4 days previous. How did they pass security? As no way would a bank call a customer & not take them through security. You have to know you re speaking to customer.

Best guess they have not been speaking to bank, but fraudsters.

Have the bank confirmed that the date the account was locked down?

Why the hang up on sub £100 & contactless or PIN?
Statements will show how payments are made. So debit card usually has DEB for card payment ))) for contactless, FP for a faster payment.


To educate customers. They have a dedicated page all about protecting yourself.

https://www.co-operativebank.co.uk/help-and-support/fraud-and-security/learn-about-fraud/#:~:text=Scammers are posing as us.&text=We'll never ask you,your security or financial information.&text=Never tell anyone your Online,a text or an email.

TechGuy2012

PloughmansLunch said:

Who is this other person? Is it a joint signatory account / multiple debit cards?

Your first post said 'Due to the previous experience he set up the online banking app', does this mean the other person who has access does have the app (and therefore presumably wouldn't need the code generator)? I'm not trying to point fingers, but there's another potential point of failure if it's not just the owner with sole access.

It's a business account, there are 2 people named on the account. But, there is only 1 issued card for the account and 1 code generator.

It was my misunderstanding regarding the banking app (I thought it was a notification they had when the new payee's were setup but it was simply text messages), neither person listed on the account has the app installed or setup.

@born_again
The hang up with the previous card fraud was curiosity really, and knowing how it happened might just save someone else from falling foul!

I don't know the answer to the other 2 questions but I'll certainly try to find out. It all depends on how much information the bank divulges, so far its been next to nothing.

As you can guess from my user name, I'm all up for tech to make managing your money easier but quite frankly I'm beginning to see merit in stuffing your mattress with your life savings. lol.